Taking the biscuit: How to comply with the new UK cookie law

When a government department asked website visitors to opt in to receive an analytics cookie, most visitors said: “Thanks, but no thanks.” The site’s measured traffic fell by 90%. What scared web designers was that they might soon suffer the same fate.

The department was the Information Commissioner’s Office (ICO), and it had introduced the opt-in to comply with the new “cookie law” (the Privacy and Electronic Communications (EC Directive) Regulations 2003), which it is responsible for enforcing. The aim of the law is to stop people being profiled online without their knowledge, and it requires websites to seek permission before setting cookies. Cookies are simple text files stored on a user’s device so a website can recognise them, and they are used particularly for advertising and analytics. Web designers panicked that they would have to get visitors to opt in before they could set any cookies, but the ICO’s own experience showed how devastating that could be.

Then, at the eleventh hour, just as the law was coming into effect, the ICO softened its guidance to say that implied consent could be enough. That means: if you’ve told your visitors you use cookies and they carry on using the site, you could be in the clear. The ICO warns, though, that implied consent is not a euphemism for doing nothing, and if people don’t understand what you’re doing, there’s no consent at all.

For simplicity’s sake, the ICO just talks about cookies, but it uses the term to mean any form of local storage. Under the new law, websites using cookies must:

Tell visitors the cookies are there;

Explain what the cookies are doing; and

Obtain visitors’ consent to store a cookie on their devices.

There is (and always has been) an exception where a cookie is strictly necessary to perform an action a user has requested, such as a shopping cart. But analytics and advertising cookies don’t fall under that exception, however vital they might be to the website owner.

The ICO recommends websites take a three-step approach: first, audit your site to work out what cookies it uses; then assess how intrusive those cookies are; and finally decide on a solution to obtain consent where you need it.

Search and social media agency DBD Media offers a cookie audit service. Axelle Ros, Conversion Analytics Consultant, says: “Most sites use a variety of cookies, and it is not unusual to find a website with over 500 cookies. We found throughout our audits that cookies required by web design features (such as session cookies or online shopping carts) represent at most one out of 10 cookies across an entire website. We’ve seen a few instances of obsolete cookies. These are generally caused by tag-based tools which have been trialled or tested on the website and later discontinued without removing the tags.”

Once you’ve removed obsolete cookies, you need to get consent for any that are not “strictly necessary”. There are lots of different ways to do this. BBC Good Food uses a prominent pop-up box to alert users to cookies and provides links for more information, including how they can opt out of third-party advertising cookies. John Lewis and Nationwide carry a single-line banner at the top of the screen, with links to further information. Debenhams and B&Q push their cookie statements to the bottom of the screen. The UKWDA has created a joint Privacy and Cookie Policy and linked it from the website’s footer. The ICO advises that the more intrusive your cookies are (from the website user’s point of view), the more explicit the consent will need to be.

So what’s the bare minimum you can do to comply? “That’s up for a lot of debate,” says Chris Saunders, a solicitor at legal firm Mundays. “I can’t tell you what the minimum is. I can tell you what the belt and braces approach is, which is to fully inform your end user about all the cookies you’re using, and about how they’re going to be used, and to ensure that no cookies are placed on the computer before you obtain their active consent.”

Nick Tusler is Data Operations Director at TMW, a creative agency based in London with clients including Diageo, Unilever, Nissan and Sainsbury’s. He has a pragmatic view: “The bare minimum is to provide a clearly written cookie policy which sets out what cookies are, how they are used and which cookies are used for what purpose. The policy should be distinct from other privacy or terms and conditions on the site. Good clear sign-posting should be used for the link which should point directly to the cookie policy. Clear instructions as to how to manage cookies need to be included which should be handled through functionality within the website or application. However, there are many examples where users are encouraged to use browser settings to disable cookies if they choose. Although this approach is not strictly compliant, the risk of attracting attention from the enforcer of the legislation is probably very low.”

What happens if you don’t comply? “There are a range of sanctions which include orders forcing a company to do something, or refrain from doing something and fines up to £500,000,” says Edward Coxall, Partner at Mayo Wynne Baxter solicitors. “Yet the ICO does have discretion and has indicated that no enforcement action will be taken as long as companies can demonstrate they are taking steps to comply, starting with an audit of the cookies they actually use.”

“I don’t think the consequences are that severe,” says Kathryn Wynn, a senior associate at legal firm Pinsent Masons. She adds that cookies are unlikely to cause the substantial harm required to justify a fine. “The risk is that you get investigated by the ICO and then have to quickly change what you’re doing. The ICO has said it is going to target enforcement, so if your organisation is not a household name and you’re not using intrusive cookies, the risk of enforcement is low.”

Chris Saunders adds: “Whether someone complains about you is the big issue. I don’t think the ICO will go out looking for people to impose this regulation on, but I think they will be hard on people who are blatantly ignoring it.”